When an information processing terminal connected to an external network such as the Internet performs remote access to a device connected to an internal network such as a residential local area network, the information processing terminal needs to obtain a global IP address for the external network of a gateway apparatus that intervenes between the internal network and the external network. The information processing terminal uses the obtained IP address as a destination address to access the gateway apparatus.
Usually, a global IP address for a household information processing device for accessing the Internet is dynamically assigned to the information processing device by an Internet service provider (ISP) according to the DHCP (Dynamic Host Configuration Protocol). Thus, the external information processing terminal cannot obtain beforehand the global IP address for the Internet of the gateway apparatus.
In Japanese Patent Application Publication JP 2002-32342 (A) published on Jan. 31, 2002, Maeda has disclosed an authentication system. In this system, when a client inputs a user ID and a password into an information terminal, a dial-up number is obtained so that the information terminal is confirmed. Then, a one-time user ID and a one-time password are generated so that authentication is performed by a firewall server. Accordingly, only authenticated information terminals are allowed to perform data exchange with a host computer via the Internet.
On the other hand, according to a typical method of dynamic DSN service, a gateway apparatus registers its dynamic global IP address with a server having a fixed global IP address for the Internet so that the global IP address of the gateway apparatus is made public. At each time that the global IP address is changed, or alternatively in a regular manner, the gateway apparatus registers or updates its own current global IP address with the server. An external information processing terminal obtains first the dynamic global IP address of the gateway apparatus registered in the server, and then accesses the gateway apparatus using the IP address.
However, when the IP address of a gateway apparatus is registered with a server and made public as described above, the IP address of the gateway apparatus can be known to a third party so that there is a risk that the gateway apparatus can be subject to unauthorized access.
In order to solve this problem, an authentication function may be provided within the server for registration. Then, this server for authentication may determine whether an external information processing terminal has a right to access the gateway apparatus. If it is determined that the terminal has such a right to access, the server transmits to the external information processing terminal a unique URI (Uniformed Resource Identifier) or URL for a WWW service provided by the gateway apparatus. Thus, the server can securely notify the external information processing terminal of the IP address of the gateway apparatus. The external information processing terminal can use the URI to access the WWW service. Thus, the gateway apparatus is secured against unauthorized access by a third party.
The inventors have recognized a problem that, in the above-mentioned method, the external information processing terminal can access only WWW services in the gateway apparatus, but cannot use services oriented toward the internal network devices.
Meanwhile, a server function of a virtual private network (VPN) may be provided within a gateway apparatus. The server function may be adapted so that, when an external information processing terminal attempts a connection over the Internet, a virtual connection is established between the external information processing terminal and the internal network, so that the internal network-oriented service in the gateway apparatus is provided to the external information processing terminal. For this purpose, the external information processing terminal may obtain the IP address of the gateway apparatus in a secure manner from the authentication server as described above. However, while the VPN server function is providing a service to the outside over the Internet, there is a risk that the VPN server can be subject to unauthorized access by a third party to penetrate the internal network. Further, in general, authentication with a password and the like is performed before the VPN connection is established. In this case, different passwords are required for different services. Thus, the number of passwords to be remembered by a user increases with increasing number of services requiring authentication. Thus, the user may forget a password.
The inventors have recognized a need that without increasing user's time and work, a VPN server function of a gateway apparatus should allow an external information processing terminal to more securely access an internal network device-oriented service.
An object of the invention is to allow an internal network device-oriented service to be more securely provided to an external information processing device.